Edge server user authentication error

  • Question

  • Hi experts,

    I have deployed the following test configuration:

    1. Domain name - moon.local
        SIP domain - moon.local
    2. Domain Controller, DNS server & Enterprise Certification Authority - ad.moon.local, IP 192.168.10.1
        All required A and SRV records are created, hopefully as they should be.
    3. OCS 2007 Standard Edition Server - fe1.moon.local, IP 192.168.10.2
    4. Edge server - DG1 in WORKGROUP - with 3 NICs for the different interfaces:
       4.1. Internal NIC - IP 192.168.10.3, FQDN dg1.moon.local
       4.2. External NIC for Access Edge - IP 192.168.50.1, FQDN sip.outside.com
       4.3. External NIC for Web Conferencing - IP 192.168.50.2, FQDN web.outside.com
    5. No A/V edge server is deployed
    6. No Reverse proxy is deployed
    7. No Director is deployed
    8. All used certificates are issued from the local Enterprise CA

    OCS server configuration:
     Web Conferencing Edge Server Settings
       Internal Port: 8057
       External Port: 443
       Internal FQDN: dg1.moon.local
       External FQDN: web.outside.com

      All possible options enabling user access to Web conferencing and IM are set.

    OCS server certificate:
      SN = fe1.moon.local
      SAN = sip.moon.local, fe1.moon.local

    Edge server configuration:
      Access Edge:
        Federation external - 192.168.50.1 : 5061
        Remote external - 192.168.50.1 : 443
        Internal - 192.168.10.3 : 5061
        Next hop - 192.168.10.2 : 5061

        Certificate:
          SN = sip.outside.com
          SAN = sip.outside.com, sip.moon.local, dg1

      Web Conferencing Edge:
        External - 192.168.50.2 : 443
        Internal - 192.168.10.3 : 8057

        Certificate:
          SN = web.outside.com
          SAN = web.outside.com, sip.moon.local, dg1

       Internal certificate:
          SN = dg1.moon.local
          SAN = dg1.moon.local, dg1

     
    The validation of OCS server is successful. All services are running and can be used internally.
    The validation of Edge server fails with the following error:

    Diagnose Server -> Check Configuration -> Check user logon -> Attempting to login user using NTLM
     Failure [0xC3FC200D] One or more errors were detecte

    Maximum hops: 2
    Registration timed-out.: User sip:test1@moon.local @ Server sip.outside.com
    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.

    and

    Maximum hops: 2
    Failed to register user: User sip:test2@moon.local @ Server sip.outside.com
    Failed to send SIP request: An existing connection was forcibly closed by the remote host
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.


    The Event log of the Edge server contains the following:
    1. Warning:
        A configured certificate could not be loaded from store. The serial number is attached for reference. Extended Error Code: 0x80092004.
        Cause: This could happen if the certificate is not found or if the server has insufficient privileges to read and/or access the store containing the certificate.
    2. Error:
        Unable to use a certificate as configured
        Transport:TLS, IP address:192.168.50.1, Port:5061. Error:0x0xC3E93C0D (SIP_E_STACK_TRANSPORT_CERT_NOT_FOUND).
        Cause: The certificate may have been deleted or the configuration is erroneous.
        Resolution:
        Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.


    I tried many variants of certificates for the internal and external interfaces of the Edge server - the same error occurred every time.

    Has anyone faced such problems? Could someone help me resolve this issue?

    Thanks in advance!
    Monday, June 1, 2009 7:41 AM
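
The question lists every Edge and OCS listener together with the certificate assigned to it, so the first thing worth checking is whether each listener's FQDN is actually covered by the subject or SAN of its certificate. The script below is an added example (not OCS tooling and not from anyone in this thread) that models the topology exactly as given in the question and reports any listener whose certificate does not cover its name; the "constructed wrong cert" at the end is an invented mismatch to show what a finding looks like. The bare name "dg1" in the SAN lists is reported separately, since a peer connecting by FQDN never matches it.

```python
"""Listener-to-certificate name check for the Edge topology described in the question.

Added example, not OCS tooling: models each listener from the post with the certificate
the poster assigned to it and reports any listener whose FQDN is not covered by that
certificate's subject CN or SAN list.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    label: str
    subject_cn: str          # "SN" in the post
    sans: Tuple[str, ...]    # Subject Alternative Names


@dataclass(frozen=True)
class Listener:
    role: str
    fqdn: str                # name clients or peers use to reach this listener
    ip: str
    port: int
    cert: Cert


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single left-most wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert: Cert, hostname: str) -> bool:
    """Clients use the SAN list when present and fall back to the subject CN only without one."""
    names = cert.sans if cert.sans else (cert.subject_cn,)
    return any(name_matches(n, hostname) for n in names)


def check_listeners(listeners: List[Listener]) -> List[str]:
    """Return one finding per listener whose certificate does not cover its FQDN."""
    findings = []
    for lst in listeners:
        if not cert_covers(lst.cert, lst.fqdn):
            findings.append(
                f"{lst.role} ({lst.ip}:{lst.port}): certificate '{lst.cert.label}' "
                f"(CN={lst.cert.subject_cn}, SAN={', '.join(lst.cert.sans)}) does not cover {lst.fqdn}"
            )
    return findings


def short_san_entries(cert: Cert) -> List[str]:
    """SAN entries without a dot (e.g. 'dg1') only match a peer that connects by that bare name."""
    return [n for n in cert.sans if "." not in n and not n.startswith("*")]


# Certificates exactly as listed in the question.
ACCESS_EDGE_CERT = Cert("Access Edge external", "sip.outside.com", ("sip.outside.com", "sip.moon.local", "dg1"))
WEBCONF_EDGE_CERT = Cert("Web Conferencing Edge external", "web.outside.com", ("web.outside.com", "sip.moon.local", "dg1"))
EDGE_INTERNAL_CERT = Cert("Edge internal", "dg1.moon.local", ("dg1.moon.local", "dg1"))
OCS_FE_CERT = Cert("OCS Standard Edition", "fe1.moon.local", ("sip.moon.local", "fe1.moon.local"))

# Listeners exactly as listed in the question; "next hop" is the Edge's outbound target on the front end.
PAGE_LISTENERS = [
    Listener("Access Edge external (federation)", "sip.outside.com", "192.168.50.1", 5061, ACCESS_EDGE_CERT),
    Listener("Access Edge external (remote users)", "sip.outside.com", "192.168.50.1", 443, ACCESS_EDGE_CERT),
    Listener("Access Edge internal", "dg1.moon.local", "192.168.10.3", 5061, EDGE_INTERNAL_CERT),
    Listener("Web Conferencing Edge external", "web.outside.com", "192.168.50.2", 443, WEBCONF_EDGE_CERT),
    Listener("Web Conferencing Edge internal", "dg1.moon.local", "192.168.10.3", 8057, EDGE_INTERNAL_CERT),
    Listener("Next hop (OCS front end)", "fe1.moon.local", "192.168.10.2", 5061, OCS_FE_CERT),
]

# Constructed counter-example (not from the post): an external certificate issued for the internal SIP domain only.
WRONG_EXTERNAL_CERT = Cert("constructed wrong cert", "sip.moon.local", ("sip.moon.local",))
MISCONFIGURED = [Listener("Access Edge external (remote users)", "sip.outside.com", "192.168.50.1", 443, WRONG_EXTERNAL_CERT)]

if __name__ == "__main__":
    for line in check_listeners(PAGE_LISTENERS) or ["all listeners from the question are covered by their certificates"]:
        print(line)
    for line in check_listeners(MISCONFIGURED):
        print(line)
    for cert in (ACCESS_EDGE_CERT, WEBCONF_EDGE_CERT, EDGE_INTERNAL_CERT):
        print(f"{cert.label}: bare SAN entries {short_san_entries(cert)}")
```

With the names as posted, every listener is covered, which is consistent with the Edge event log pointing at the store side (certificate not found, or insufficient privileges to read it and its private key) rather than at a name mismatch.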

All replies

  • What happens when attempting to sign-in externally from Communicator?  I've seen stuff like that in the Edge Validation before in an otherwise perfectly working environment, so I've learned to ignore some of the 'failure to register' errors; it depends on whether both NTLM and Kerberos are supported in the current configuration.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, June 2, 2009 12:52 PM
    Moderator
  • Hi Jeff,

    When I try to login using Communicator with Sign-in address: test1@moon.local and Server: sip.outside.com:443, it wants me to enter the name and password, so I enter user: moon\test1 and pass: test1 (as it is set in the domain controller), and it always says:
    "Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator.".
    Wednesday, June 3, 2009 11:40 AM
  • Finally I managed to sign-in externally from Communicator. Do not ask me how - I do not know exactly what made it work, I made a lot of changes to the certificates and other settings.

    Now another problem has to be resolved - joining externally a Live Meeting conference initiated by another user. I can successfully create and join an existing conference from inside. The Live Meeting client always returns the following error message:

         Live Meeting cannot connect to the meeting.

         Wait a few moments, and then try to join the meeting again.

         If you still cannot connect, contact your administrator or technical support.
    Is it possible to join a meeting from the outside if no Reverse proxy is installed and configured?
    Thursday, June 18, 2009 1:35 PM
  • Yes, it's possible to connect externally without the Reverse Proxy; the only feature that gives is shared content download from the Web Components service.

    Make sure that you have your External Web Farm FQDN populated with at least something, even if you don't have a reverse proxy configured with a valid, resolvable FQDN.  If the value is blank then Live Meeting clients can't connect through the Edge server.  You could just duplicate the internal FQDN, or pick an FQDN that you end up using at some point.

    See this blog article for more details: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=67
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, June 18, 2009 5:03 PM
    Moderator
  • Thanks, Jeff!

    When I installed the OCS I set as external web farm FQDN sip.outside.com (the same as the external FQDN of the Access Edge server). I did not know what was hiding behind that "external web farm FQDN". Could it be the problem?

    I tested successfully all connections with TELNET as advised in the blog article.

    When I start Live Meeting on an external PC I see the following errors in the trace file:

    06/19/2009|16:30:15.359 4DC:764 INFO  :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes:
    06/19/2009|16:30:15.359 4DC:764 INFO  :: SIP/2.0 401 Unauthorized
    ms-user-logon-data: RemoteUser
    Date: Fri, 19 Jun 2009 13:28:49 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname=" fe1.moon.local", version=3
    WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/ fe1.moon.local", version=3
    From: <sip:test@moon.local>;tag=798a3a087b;epid=32c995c617
    To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=9D682A19BAE6A9C3E10FD2AE39064530
    Call-ID: a634b03b297344209bdc62ac1ae007b6
    CSeq: 1 INVITE
    Via: SIP/2.0/TLS 192.168.50.115:1062;ms-received-port=1062;ms-received-cid=1100
    Content-Length: 0
    06/19/2009|16:30:15.359 4DC:764 INFO  :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes
    ...
    06/19/2009|16:30:15.250 4DC:764 INFO  :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes:
    06/19/2009|16:30:15.250 4DC:764 INFO  :: SIP/2.0 481 Call Leg Does Not Exist
    ms-user-logon-data: RemoteUser
    From: <sip:test@moon.local>;tag=59e5788a1e;epid=32c995c617
    To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=4158EA73910F66BAB59D1C37B9C1DEEA
    Call-ID: 2a9d2e9c82f14888a4973463b47fbc53
    CSeq: 1 CANCEL
    Via: SIP/2.0/TLS 192.168.50.115:1060;ms-received-port=1060;ms-received-cid=1000
    Content-Length: 0

    06/19/2009|16:30:15.250 4DC:764 INFO  :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes


    And this is what I found in the Event Log of the Edge Server:

    Failed to process data received from the client

    Over the past 0 minutes Office Communications Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "192.168.50.115:1042".
    Cause: Failed to process data received from the client
    Resolution:
    Check and make sure that the connection came from a trustworthy client.
    ...
    Timed out waiting for client to present validation cookie

    Over the past 0 minutes Office Communications Server has disconnected client(s) 1 time(s) because of timing out waiting for cookie to be presented. The last such client which was disconnected is "192.168.50.115:1043"
    Cause: This can occur if client does not present a validation cookie within 20 seconds of getting connected
    Resolution:
    Check to make sure that the connection came from a trustworthy client. This could indicate an attack being mounted by a rogue client.
    ...
    Server connection failed to establish.

    Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090308 (The token supplied to the function is invalid) while trying to connect to the host "".
    Cause: This can occur if the destination is not configured or unreachable from this host.
    Resolution:
    Check your topology configuration to ensure the destination host can be reached and is a valid Web Conferencing Server configured to accept connections.


    Any ideas what could cause problems?

    Friday, June 19, 2009 2:14 PM
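
The Live Meeting trace quoted in the last post is the most useful evidence in the thread: it shows which server issued the NTLM and Kerberos challenges (the targetname in WWW-Authenticate) and which transaction each response belongs to. The script below is an added example, not part of the thread and not a Microsoft tool; it takes the trace lines exactly as quoted above (embedded as a constructed excerpt, with the elided parts dropped), splits them into SIP responses, and extracts the challenge parameters verbatim so they can be compared against the server names in the topology. It also reports any quoted parameter value that carries leading or trailing whitespace, because the NTLM targetname as quoted in the post reads " fe1.moon.local" and that is something to verify against the real trace file rather than guess at.

```python
"""Parser for the Live Meeting client trace excerpt quoted in the thread.

Added example, not from the thread or any Microsoft tool. Splits the trace into SIP
responses, keeps their headers, and pulls scheme/realm/targetname out of each
WWW-Authenticate challenge without altering the values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed from the lines quoted in the post; elided trace between the two responses is omitted.
TRACE = """\
06/19/2009|16:30:15.359 4DC:764 INFO  :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes:
06/19/2009|16:30:15.359 4DC:764 INFO  :: SIP/2.0 401 Unauthorized
ms-user-logon-data: RemoteUser
Date: Fri, 19 Jun 2009 13:28:49 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname=" fe1.moon.local", version=3
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/ fe1.moon.local", version=3
From: <sip:test@moon.local>;tag=798a3a087b;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=9D682A19BAE6A9C3E10FD2AE39064530
Call-ID: a634b03b297344209bdc62ac1ae007b6
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.50.115:1062;ms-received-port=1062;ms-received-cid=1100
Content-Length: 0
06/19/2009|16:30:15.359 4DC:764 INFO  :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes
06/19/2009|16:30:15.250 4DC:764 INFO  :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes:
06/19/2009|16:30:15.250 4DC:764 INFO  :: SIP/2.0 481 Call Leg Does Not Exist
ms-user-logon-data: RemoteUser
From: <sip:test@moon.local>;tag=59e5788a1e;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=4158EA73910F66BAB59D1C37B9C1DEEA
Call-ID: 2a9d2e9c82f14888a4973463b47fbc53
CSeq: 1 CANCEL
Via: SIP/2.0/TLS 192.168.50.115:1060;ms-received-port=1060;ms-received-cid=1000
Content-Length: 0

06/19/2009|16:30:15.250 4DC:764 INFO  :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes
"""

PREFIX = re.compile(r"^\d\d/\d\d/\d{4}\|[\d:.]+ \S+ INFO\s+:: (.*)$")   # trace timestamp prefix
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")                         # SIP status line
PARAM = re.compile(r'(\w+)=("([^"]*)"|[^,]+)')                          # name=value, quoted or bare


@dataclass
class SipResponse:
    peer: str                      # remote address the data was received from
    status: int
    reason: str
    cseq: str
    headers: List[Tuple[str, str]] = field(default_factory=list)

    def get_all(self, name: str) -> List[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_trace(text: str) -> List[SipResponse]:
    """Walk the trace, opening a response at each SIP status line and closing it at 'End of Data Received'."""
    responses: List[SipResponse] = []
    current = None
    peer = ""
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        payload = m.group(1) if m else raw
        if payload.startswith("Data Received - "):
            peer = payload.split(" - ", 1)[1].split(" ", 1)[0]
            continue
        if payload.startswith("End of Data Received"):
            current = None
            continue
        s = STATUS.match(payload)
        if s:
            current = SipResponse(peer, int(s.group(1)), s.group(2), "")
            responses.append(current)
            continue
        if current is not None and ":" in payload:
            name, value = payload.split(":", 1)       # split at the first colon only; values contain colons
            current.headers.append((name.strip(), value.strip()))
            if name.strip().lower() == "cseq":
                current.cseq = value.strip()
    return responses


def auth_challenges(resp: SipResponse) -> List[Tuple[str, Dict[str, str]]]:
    """Return (scheme, params) per WWW-Authenticate header; quoted values are kept verbatim."""
    out = []
    for value in resp.get_all("WWW-Authenticate"):
        scheme, _, rest = value.partition(" ")
        params = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2)) for m in PARAM.finditer(rest)}
        out.append((scheme, params))
    return out


def padded_values(responses: List[SipResponse]) -> List[Tuple[int, str, str, str]]:
    """Challenge parameters whose value has leading or trailing whitespace, exactly as found in the trace."""
    return [(r.status, scheme, k, v)
            for r in responses for scheme, params in auth_challenges(r)
            for k, v in params.items() if v != v.strip()]


if __name__ == "__main__":
    for r in parse_trace(TRACE):
        targets = [p.get("targetname") for _, p in auth_challenges(r)]
        print(f"{r.peer} -> {r.status} {r.reason} (CSeq {r.cseq}) targetnames={targets!r}")
    print("padded values:", padded_values(parse_trace(TRACE)))
```

Run against a full trace file (`parse_trace(open(path).read())`), the same functions give a per-transaction list of which host challenged the client and with which scheme, which is the information the "Attempting to login user using NTLM" validation step and the Edge's "Failed to process data received from the client" event both leave out.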